PATENT APPLICATION

PRELIMINARY AMENDMENT 

AMENDMENTS TO THE CLAIMS 

This listing of claims will replace all prior versions and listings of claims in the application:

LISTING OF CLAIMS: 

1. (Original) A method of sending a digital message between a sender and a recipient in a 
public-key encryption scheme comprising the sender, the recipient and an authorizer wherein the 
digital message is encrypted by the sender and decrypted by the recipient, the method 
comprising: 

(a) generating a recipient public key/ recipient private key pair; wherein the 
recipient private key is a secret of the recipient; 

(b) generating a recipient encryption key; 

(c) selecting a key generation secret that is a secret of the authorizer; 

(d) generating a recipient decryption key using at least the key generation 
secret and the recipient encryption key, wherein a key formed from the recipient 
decryption key and a key formed from the recipient encryption key are a public key/ 
private key pair; 

(e) encrypting the digital message using at least the recipient public key and 
the recipient encryption key to create an encrypted digital message; and 

(f) decrypting the encrypted digital message using at least the recipient private 
key and the recipient decryption key. 

2. (Original) The method of claim 1, wherein the recipient encryption key is
generated from information comprising the identity of the recipient.

3. (Original) The method of claim 1, wherein the recipient encryption key is

decryption key.

4. (Original) The method of claim 1, wherein the recipient encryption key is
generated from information comprising the recipient public key.

5. (Original) The method of claim 1, wherein the recipient encryption key is

a parameter defining a validity period for the recipient decryption key

6. (Original) The method of claim 1, wherein the recipient decryption key is
generated by the authorizer according to a schedule known to the sender.

7. (Original) The method of claim 6, wherein the recipient encryption key is
generated using at least information comprising the schedule.

8. (Original) The method of claim 1, wherein the recipient private key, public key

9. (Original) The method of claim 1, wherein the recipient decryption key is
generated by a method comprising:

(a) generating a first cyclic group G_1 of elements and a second cyclic group
G_2 of elements;

(b) selecting a function e capable of generating an element of the second
cyclic group G_2 from two elements of the first cyclic group G_1;

(c) selecting a generator P of the first cyclic group G_1;

(d) selecting a random key generation secret s_C associated with and known to
the authorizer;

(e) generating a key generation parameter Q = s_C P;

(f) selecting a first function H_1 capable of generating an element of the first
cyclic group G_1 from a first string of binary digits;

(g) selecting a second function H_2 capable of generating a second string of
binary digits from an element of the second cyclic group G_2;

(h) generating an element P_B = H_1(Inf_B), wherein Inf_B comprises a string of
binary digits; and

(i) generating a secret element S = s_C P_B associated with the recipient; wherein
the secret element is the recipient decryption key.

10. (Original) The method of claim 9, wherein Inf_B comprises the identity of the
recipient, ID_rec, the recipient public key, and a parameter defining a validity period for the
recipient decryption key.



Atty. Docket No. CA1261

11. (Original) The method of claim 9, wherein both the first group G_1 and the second
group G_2 are of the same prime order q.

12. (Original) The method of claim 9 wherein the first cyclic group G_1 is an additive
group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group
G_2 is a multiplicative subgroup of a finite field.

13. (Original) The method of claim 9 wherein the function e is a bilinear, non-degenerate,
and efficiently computable pairing.

14. (Original) The method of claim 9 wherein:
s_C is an element of the cyclic group Z/qZ;

Q is an element of the second cyclic group G_2;
element P_B is an element of the first cyclic group G_1; and
the secret element S is an element of the first cyclic group G_1.

15. (Original) The method of claim 9, wherein the digital message M is encrypted by
a method comprising:

generating the element P'_B = H_1'(ID_rec), wherein ID_rec comprises the identity of the
recipient and wherein H_1' is a function capable of generating an element of the first cyclic group
G_1 from a string of binary digits;

selecting a random key generation secret r; and

encrypting the digital message M to form a ciphertext C; wherein C is set to be:

C = [rP, M ⊕ H_2(g^r)], where g = e(Q, P_B) e(s_B P, P'_B) ∈ G_2.
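
The key issuance of claim 9 and the encryption of claim 15, run end to end as an added example that is not part of the application text. It assumes a toy pairing in which G_1 is Z_q, so it checks the algebra only and is not secure; the decryption rule M = V ⊕ H_2(e(rP, S + s_B P'_B)), the SHA-256/SHAKE instantiations of H_1, H_1' and H_2, and every function name are assumptions of this sketch.

```python
import hashlib
import math
import secrets

# Toy bilinear groups, constructed for this example: G_1 is the additive group
# Z_q with generator P = 1 (the element aP is stored as the integer a), G_2 is
# the order-q subgroup of Z_p^*, and e(aP, bP) = g0^(ab).  Discrete logs in
# this G_1 are trivial, so the model checks the algebra and is NOT secure.
Q_ORDER = 2**61 - 1          # prime order q (a Mersenne prime)
P_GEN = 1                    # generator P of G_1

def find_g2(q):
    """Find a prime p = kq + 1 and g0 of order q (Pocklington test, q > sqrt(p))."""
    k = 2
    while True:
        p = k * q + 1
        for a in (2, 3, 5, 7):
            g0 = pow(a, k, p)
            if pow(g0, q, p) == 1 and math.gcd(g0 - 1, p) == 1:
                return p, g0
        k += 2

P_MOD, G0 = find_g2(Q_ORDER)

def pairing(a, b):
    """e(aP, bP): bilinear and non-degenerate on the toy groups."""
    return pow(G0, a * b % Q_ORDER, P_MOD)

def h1(tag, *fields):
    """H_1 (tag b"H1") and H_1' (tag b"H1'"): byte strings -> non-zero G_1 element."""
    h = hashlib.sha256(tag)
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)   # length-prefix each field
    return 1 + int.from_bytes(h.digest(), "big") % (Q_ORDER - 1)

def h2(g, n):
    """H_2: element of G_2 -> n-byte mask."""
    width = (P_MOD.bit_length() + 7) // 8
    return hashlib.shake_256(g.to_bytes(width, "big")).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keygen():
    """Return (s, sP): the authorizer's (s_C, Q) or the recipient's (s_B, s_B P)."""
    s = 1 + secrets.randbelow(Q_ORDER - 1)
    return s, s * P_GEN % Q_ORDER

def p_b(identity, pub, period):
    """P_B = H_1(Inf_B); Inf_B = identity, public key, validity period (claim 10)."""
    return h1(b"H1", identity, pub.to_bytes(8, "big"), period)

def issue(s_c, identity, pub, period):
    """Authorizer: S = s_C P_B, the recipient decryption key for one period."""
    return s_c * p_b(identity, pub, period) % Q_ORDER

def encrypt(msg, q_param, pub, identity, period):
    """Sender: C = [rP, M xor H_2(g^r)] with g = e(Q, P_B) e(s_B P, P'_B)."""
    g = pairing(q_param, p_b(identity, pub, period))
    g = g * pairing(pub, h1(b"H1'", identity)) % P_MOD
    r = 1 + secrets.randbelow(Q_ORDER - 1)
    return r * P_GEN % Q_ORDER, xor(msg, h2(pow(g, r, P_MOD), len(msg)))

def decrypt(ct, s_b, cert, identity):
    """Recipient (assumed rule): M = V xor H_2(e(rP, S + s_B P'_B))."""
    u, v = ct
    key = (cert + s_b * h1(b"H1'", identity)) % Q_ORDER
    return xor(v, h2(pairing(u, key), len(v)))

def demo():
    """Constructed run: who can recover a message encrypted for period 2024-06."""
    s_c, q_param = keygen()
    s_b, pub = keygen()
    ident, msg = b"bob@example.test", b"constructed test message"
    ct = encrypt(msg, q_param, pub, ident, b"2024-06")
    current = issue(s_c, ident, pub, b"2024-06")
    stale = issue(s_c, ident, pub, b"2024-05")
    return {
        "with_current_cert": decrypt(ct, s_b, current, ident) == msg,
        "with_stale_cert": decrypt(ct, s_b, stale, ident) == msg,
        "authorizer_alone": decrypt(ct, 0, current, ident) == msg,
    }
```

The stale-certificate case is the revocation mechanism: the authorizer stops issuing S for later periods. The `authorizer_alone` case shows that S without s_B does not decrypt.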

16. (Original) The method of claim 1, wherein the recipient encryption key is 
generated from a document and the recipient decryption key is the authorizer's signature on the 
document. 

17. (Original) The method of claim 9, wherein the digital message M is encrypted by
a method comprising:

generating the element P'_B = H_1'(ID_rec) wherein H_1' is a function capable of generating
an element of the first cyclic group G_1 from a string of binary digits;
choosing a random parameter σ ∈ {0,1}^n;
set a random key generation secret r = H_3(σ, M); and

encrypting the digital message M to form a ciphertext C; wherein C is set to be:

C = [rP, M ⊕ H_2(g^r), E_{H_4(σ)}(M)], where g = e(Q, P_B) e(s_B P, P'_B) ∈ G_2, wherein H_3 is a
function capable of generating an integer of the cyclic group Z/qZ from two strings of binary
digits, H_4 is a function capable of generating one binary string from another binary string, E is a
secure symmetric encryption scheme, and H_4(σ) is the key used with E.

18. (Original) A method of sending a digital message between a sender and a 
recipient in a public-key encryption scheme comprising the sender, the recipient and a plurality 
of authorizers, the plurality of authorizers including at least a root authorizer and n lower-level 
authorizers in a hierarchy between the root authorizer and the recipient, wherein n > 1, the
method comprising:

(a) generating a recipient public key/ private key pair for the recipient; 
wherein the recipient private key is a secret of the recipient; 

(b) generating a recipient encryption key using identity information of at least 
one of the recipient's ancestors; 

(c) selecting a root key generation secret that is a secret of the root authorizer; 

(d) generating a root key generation parameter based on the root key 
generation secret; 

(e) generating a recipient decryption key such that the recipient decryption 
key is related to the recipient encryption key, the root key generation secret and the 
associated root key generation parameter; 

(f) encrypting the digital message using the recipient public key and a 
recipient encryption key to create an encrypted digital message, wherein a key formed 
from the recipient decryption key and a key formed from the recipient encryption key are 
a public key/ private key pair; and 

(h) decrypting the encoded digital message to recover the digital message 
using at least the recipient private key and the recipient decryption key. 

19. (Original) The method of claim 18, wherein the recipient encryption key is 
generated from information comprising the identity of the recipient. 

20. (Original) The method of claim 18, wherein the recipient encryption key is
generated from information comprising a parameter defining a validity period for the recipient 
decryption key. 

21. (Original) The method of claim 18, wherein the recipient encryption key is
generated from information comprising the recipient public key. 

22. (Original) The method of claim 18, wherein the recipient encryption key is 
generated from information comprising the identity of the recipient, the recipient public key, and 
a parameter defining a validity period for the recipient decryption key. 

23. (Original) The method of claim 18, wherein the recipient decryption key is 
generated according to a schedule known to the sender. 

24. (Original) The method of claim 18, wherein the recipient private key/ public key 
pair is generated using system parameters issued by the authorizer. 

25. (Original) The method of claim 18, wherein the recipient decryption key is 
related to the root key generation secret and the associated root key generation parameter. 

26. (Original) The method of claim 18, wherein the plurality of authorizers further
includes at least m lower-level authorizers in the hierarchy between the root authorizer and the
sender, wherein m > 1, and wherein l of the m authorizers in the hierarchy are common ancestors
to both the sender and the recipient, wherein authorizer is the lowest common ancestor authorizer
between the sender and the recipient, and wherein l > 1, the method further comprising:

selecting a lower-level key generation secret for each of the m lower-level authorizers in
the hierarchy between the root authorizer and the sender; and

generating a sender decryption key such that the sender decryption key is related to at
least the root key generation secret and one or more of the m lower-level key generation secrets
associated with the m lower-level authorizers in the hierarchy between the root authorizer and the
sender;

wherein the message is encrypted using at least sender decryption key and one or more of
the lower-level key generation parameters associated with the (m - l + 1) authorizers between the
root authorizer and the sender that are at or below the level of the lowest common ancestor
authorizer, but not using any of the lower-level key generation parameters that are associated
with the (l - 1) authorizers above the lowest common ancestor authorizer; and

wherein the ciphertext is decrypted using at least the recipient decryption key and one or
more of the lower-level key generation parameters associated with the (n - l + 1) authorizers
between the root authorizer and the sender that are at or below the level of the lowest common
ancestor authorizer, but not using any of the lower-level key generation parameters that are
associated with the (l - 1) authorizers that are above the lowest common ancestor authorizer.

27. (Original) A method of generating a decryption key for an entity in an encryption
system including a plurality of authorizers, the plurality of authorizers including at least a root
authorizer and n lower-level authorizers in the hierarchy between the root authorizer and the
entity, wherein n > 1, the method comprising:

generating a root key generation secret that is known to the root authorizer;

generating a root key generation parameter based on the root key generation secret;

generating a lower-level key generation secret for each of the n lower-level authorizers,
wherein each lower-level key generation secret is known to its associated lower-level authorizer;

generating a lower-level key generation parameter for each of the n lower-level
authorizers, wherein each lower-level key generation parameter is generated using at least the
lower-level key generation secret for its associated lower-level authorizer;

establishing a decryption key generation schedule defining a validity period for a
decryption key for the entity;

generating the decryption key for the entity such that the decryption key is related to at
least the root key generation secret and one or more of the lower-level key generation secrets;
and

providing the decryption key to the entity.

28. (Original) The method of claim 27, wherein the decryption key for the entity is
related to a parameter establishing a validity period.

29. (Original) A method of generating a decryption key for a recipient z in an
encryption system, wherein the recipient z is n + 1 levels below a root authorizer in the hierarchy,
and wherein the recipient is associated with a recipient ID-tuple (ID_z1, ..., ID_z(n+1)) that includes
identity information ID_z(n+1) associated with the recipient and identity information ID_zi associated
with each of n lower-level authorizers in the hierarchy between the root authorizer and the
recipient, the method comprising:

selecting a function e capable of generating an element of the second cyclic group G_2
from two elements of the first cyclic group G_1;

selecting a root generator P_0 of the first cyclic group G_1;

selecting a random root key generation secret s_0 associated with and known to the root
authorizer;

generating a root key generation parameter Q_0 = s_0 P_0;

selecting a first function H_1 capable of generating an element of the first cyclic group G_1
from a first string of binary digits;

selecting a second function H_2 capable of generating a second string of binary digits from
an element of the second cyclic group G_2;

generating an element P_zi for each of the n lower-level authorizers, wherein
P_zi = H_1(ID_z1, ..., ID_zi) for 1 ≤ i ≤ n;

selecting a lower-level key generation secret s_zi for each of the n lower-level authorizers,
wherein each lower-level key generation secret s_zi is known to its associated lower-level
authorizer;

generating a lower-level secret element S_zi for each of the n lower-level authorizers,
wherein S_zi = S_z(i-1) + s_z(i-1) P_zi for 1 ≤ i ≤ n, wherein So = Qo;

generating a lower-level key generation parameter Q_zi for each of the n lower-level
authorizers, wherein Q_zi = s_zi P_0 for 1 ≤ i ≤ n;

generating a recipient element P_z(n+1) = H_1(ID_z1, ..., ID_z(n), Inf_(n+1)) associated with the
recipient, wherein P_z(n+1) is an element of the first cyclic group G_1 and wherein Inf_(n+1) is a string
of binary digits; and

generating a recipient decryption key
S_z(n+1) = S_zn + s_zn P_z(n+1) = Σ_{i=1}^{n+1} s_z(i-1) P_zi associated with the recipient.

30. (Original) The method of claim 29, wherein the recipient element
P_z(n+1) = H_1(ID_z1, ..., ID_z(n), Inf_(n+1)) and wherein Inf_(n+1) comprises the identity of the recipient
and a validity period for the identity-based decryption key.

31. (Original) The method of claim 29, wherein Inf_(n+1) further comprises a recipient
public key generated by the recipient.

32. (Original) The method of claim 29, wherein both the first group G_1 and the
second group G_2 are of the same prime order q.

33. (Original) The method of claim 29, wherein the first cyclic group G_1 is an
additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic
group G_2 is a multiplicative subgroup of a finite field.

34. (Original) The method of claim 29, wherein: the function e is a bilinear, non-degenerate,
and efficiently computable pairing.

35. (Original) The method of claim 29, wherein:
s_0 is an element of the cyclic group Z/qZ;

Q_0 is an element of the first cyclic group G_1;

each of the elements P_zi is an element of the first cyclic group G_1;

each of the lower-level key generation secrets s_zi is an element of the cyclic group
Z/qZ;

each secret element S_zi is an element of the first cyclic group G_1;

each of the lower-level key generation parameters Q_zi is an element of the first cyclic
group G_1;

the recipient element P_z(n+1) is an element of the first cyclic group G_1; and
the recipient decryption key S_z(n+1) is an element of the first cyclic group G_1.

36. A method of encrypting and decrypting a digital message M communicated
between a sender y and a recipient z in a hierarchical certificate-based encryption system,
wherein the recipient z is n + 1 levels below a root authorizer in the hierarchy, and wherein the
recipient is associated with a recipient ID-tuple (ID_z1, ..., ID_z(n+1)) that includes identity
information ID_z(n+1) associated with the recipient and identity information ID_zi associated with
each of n lower-level authorizers in the hierarchy between the root authorizer and the recipient,
the method comprising:

generating a recipient public key/ private key pair for the recipient; wherein the recipient
private key is known to the recipient;

generating a first cyclic group G_1 of elements and a second cyclic group G_2 of elements;

selecting a function e capable of generating an element of the second cyclic group G_2
from two elements of the first cyclic group G_1;

selecting a root generator P_0 of the first cyclic group G_1;

selecting a random root key generation secret s_0 associated with and known to the root
authorizer;

generating a root key generation parameter Q_0 = s_0 P_0;

selecting a first function H_1 capable of generating an element of the first cyclic group G_1
from a first string of binary digits;

selecting a second function H_2 capable of generating a second string of binary digits from
an element of the second cyclic group G_2;

generating an element P_zi for each of the n lower-level CAs, wherein
P_zi = H_1(ID_z1, ..., ID_zi) for 1 ≤ i ≤ n;

selecting a lower-level key generation secret s_zi for each of the n lower-level authorizers,
wherein each lower-level key generation secret s_zi is known to its associated lower-level
authorizer;

generating a lower-level secret element S_zi for each of the n lower-level authorizers,
wherein S_zi = S_z(i-1) + s_z(i-1) P_zi for 1 ≤ i ≤ n, wherein Sw = Qo;

generating a lower-level key generation parameter Q_zi for each of the n lower-level
authorizers, wherein Q_zi = s_zi P_0 for 1 ≤ i ≤ n;

generating a recipient element P_z(n+1) = H_1(ID_z1, ..., ID_z(n), Inf_(n+1)) associated with the
recipient, wherein P_z(n+1) is an element of the first cyclic group G_1 and wherein Inf_(n+1) is a string
of binary digits;

generating a recipient secret element S_z(n+1) = S_zn + s_zn P_z(n+1) = Σ_{i=1}^{n+1} s_z(i-1) P_zi associated
with the recipient, wherein Inf_(n+1) comprises a validity period for the recipient secret element;

encoding the digital message to generate a ciphertext using at least the recipient public
key, the root encryption parameter Q_0 and Inf_(n+1); and

decoding the ciphertext C to recover the digital message M using at least the recipient
private key, the lower-level key generation parameters Q_zi and the recipient secret element S_z(n+1).

37. (Original) The method of claim 36 wherein: both the first group G_1 and the
second group G_2 are of the same prime order q.

38. (Original) The method of claim 36, wherein:

the first cyclic group G_1 is an additive group of points on a supersingular elliptic curve or
abelian variety, and the second cyclic group G_2 is a multiplicative subgroup of a finite field.

39. The method of claim 36, wherein:

the function e is a bilinear, non-degenerate, and efficiently computable pairing.

40. The method of claim 36, wherein:
s_0 is an element of the cyclic group Z/qZ;

Q_0 is an element of the first cyclic group G_1;

each of the elements P_zi is an element of the first cyclic group G_1;

each of the lower-level key generation secrets s_zi is an element of the cyclic group
Z/qZ;

each secret element S_zi is an element of the first cyclic group G_1;

each of the lower-level key generation parameters Q_zi is an element of the first cyclic
group G_1;

the recipient element P_z(n+1) is an element of the first cyclic group G_1; and
the recipient secret element S_z(n+1) is an element of the first cyclic group G_1.

41. (Original) The method of claim 36, wherein encoding the message M further
comprises:

selecting a random parameter r; and

generating the ciphertext C = [rP, V], wherein V = M ⊕ H_2(g^r), wherein

g = e(P'_B, s_B P) ∏_{i=1}^{n+1} e(P_zi, s_z(i-1) P)

wherein s_B P is the recipient public key, P'_B is MnW and F^H^^P, Inf(n + 1));

and

decoding the ciphertext C further comprises:
recovering the digital message M from
M = V ⊕ H_2(e(rP, S_z(n+1))).

42. (Original) The method of claim 36, wherein both the first group G_1 and the
second group G_2 are of the same prime order q.

43. (Original) The method of claim 36, wherein the first cyclic group G_1 is an
additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic
group G_2 is a multiplicative subgroup of a finite field.

44. (Original) The method of claim 36, wherein the function e is a bilinear, non-degenerate,
and efficiently computable pairing.

45. (Original) The method of claim 36, wherein:
s_0 is an element of the cyclic group Z/qZ;

Q_0 is an element of the first cyclic group G_1;

each of the elements P_zi is an element of the first cyclic group G_1;

each of the lower-level key generation secrets s_zi is an element of the cyclic group
Z/qZ;

each secret element S_zi is an element of the first cyclic group G_1;

each of the lower-level key generation parameters Q_zi is an element of the first cyclic
group G_1;

the recipient element P_z(n+1) is an element of the first cyclic group G_1;

the recipient secret element S_z(n+1) is an element of the first cyclic group G_1;

r is an element of the cyclic group Z/qZ; and

g is an element of the second cyclic group G_2.



46. (Original) The method of claim 36, further comprising:

selecting a third function H_3 capable of generating an integer of the cyclic group Z/qZ
from two strings of binary digits; and

selecting a fourth function H_4 capable of generating one binary string from another binary
string;

wherein encoding the message M further comprises:
choosing a random parameter σ ∈ {0,1}^n;
set a random key generation secret r = H_3(σ, M); and
generating the ciphertext C = [U_0, U_2, ..., U_(n+1), V, W], wherein U_0 = r s_B P and
U_i = r P_zi for 2 ≤ i ≤ n + 1, wherein V = M ⊕ H_2(g^r), and wherein g = a(fio. and s_B P is the
recipient public key, wherein g - HQ* P d ). and wherein W = E_{H_4(σ)}(M), E is a secure symmetric
encryption scheme, and H_4(σ) is the key used with E; and

wherein decoding the ciphertext C further comprises:

recovering the random binary string σ using σ = V ⊕ H_2

e(U_0, S_z(n+1))

and

recovering the message M using M = E^-1_{H_4(σ)}(W).

47. (Original) The method of claim 46, wherein both the first cyclic group G_1 and the
second cyclic group G_2 are of the same prime order q.

48. (Original) The method of claim 46, wherein the first cyclic group G_1 is an
additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic
group G_2 is a multiplicative subgroup of a finite field.

49. (Original) The method of claim 46, wherein the function e is a bilinear, non-degenerate,
and efficiently computable pairing.

50. (Original) The method of claim 46, further comprising authenticating the
ciphertext C by:

computing an experimental random integer r' = H_3(σ, M); and

confirming that U_0 = r'P_0 and U_i = r'P_zi for 2 ≤ i ≤ n + 1.

51. (Original) The method of claim 46, wherein:
s_0 is an element of the cyclic group Z/qZ;
Q_0 is an element of the second cyclic group G_2;

each of the elements P_zi is an element of the first cyclic group G_1;

each of the lower-level key generation secrets s_zi is an element of the cyclic group
Z/qZ;

each secret element S_zi is an element of the first cyclic group G_1;

each of the lower-level key generation parameters Q_zi is an element of the first cyclic
group G_1;

the recipient element P_z(n+1) is an element of the first cyclic group G_1;

the recipient secret element S_z(n+1) is an element of the first cyclic group G_1;

r is an element of the cyclic group Z/qZ; and
g is an element of the second cyclic group G_2.

52. (Original) The method of claim 26, wherein the plurality of authorizers further
includes at least m lower-level authorizers in the hierarchy between the root authorizer and the
sender y, wherein m ≥ 1, wherein l of the authorizers in the hierarchy are common hierarchical

assoc iatedwi^^

jo^^^^y^^ 1 ^ dwitheachof "

lower-level authorizers in the hierarchy be^
further comprising:

generating an element P_yi for each of the m lower-level authorizers, wherein
P_yi = H_1(ID_y1, ..., ID_yi) for 1 ≤ i ≤ m, and wherein P_yi = P_zi for all i ≤ l;

selecting a lower-level key generation secret s_yi for each of the m lower-level authorizers,
wherein s_yi = s_zi for all i ≤ l;

generating a lower-level secret element S_yi for each of the m lower-level authorizers,
wherein S_yi = S_y(i-1) + s_y(i-1) P_yi for 1 ≤ i ≤ m, and wherein S_yi = S_zi for all i ≤ l;

generating a lower-level key generation parameter Q_yi for each of the m lower-level CAs,
wherein Q_yi = s_yi P_0 for 1 ≤ i ≤ m, and wherein Q_yi = Q_zi for all i ≤ l;

generating a sender element P_y(m+1) = H_1(ID y , DW associated with the
sender y;

generating a sender secret element S_y(m+1) = S_ym + s_ym P_y(m+1) = Σ_{i=1}^{m+1} s_y(i-1) P_yi associated
with the sender; wherein Inf_(n+1) comprises a validity period for the recipient secret element;

encoding the message M to generate a ciphertext C using at least the information
comprising Inf_(n+1) and the lower-level key generation parameters Q_yi for i ≥ l and the sender
secret element S_y(m+1), but not using the lower-level key generation parameter Q_yi for i < l; and

decoding the ciphertext C to recover the message M using at least the recipient private
key and the lower-level key generation parameters Q_zi for i ≥ l and the recipient secret element
S_z(n+1), but not using the lower-level key generation parameters Q_zi for i < l.

53. (Original) The method of claim 52, wherein both the first cyclic group G_1 and the
second cyclic group G_2 are of the same prime order q.

54. (Original) The method of claim 52, wherein the first cyclic group G_1 is an
additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic
group G_2 is a multiplicative subgroup of a finite field.

55. (Original) The method of claim 52, wherein the function e is a bilinear, non-degenerate,
and efficiently computable pairing.

56. (Currently amended) The method of claim 52, wherein:
s_0 is an element of the cyclic group Z/qZ;

Q_0 is an element of the first cyclic group G_1;

each of the elements P_zi is an element of the first cyclic group G_1;

each of the elements P_yi is an element of the first cyclic group G_1 [[G]];

each of the lower-level key generation secrets s_zi is an element of the cyclic group
Z/qZ;

each of the lower-level key generation secrets s_yi is an element of the cyclic group
Z/qZ;

each secret element S_zi is an element of the first cyclic group G_1;
each secret element S_yi is an element of the first cyclic group G_1;
each of the lower-level key generation parameters Q_zi is an element of the first cyclic
group G_1;

each of the lower-level key generation parameters Q_yi is an element of the first cyclic
group G_1;

the recipient element P_z(n+1) is an element of the first cyclic group G_1;

the sender element P_y(m+1) is an element of the first cyclic group G_1;

the recipient secret element S_z(n+1) is an element of the first cyclic group G_1;

the sender secret element S_y(m+1) is an element of the first cyclic group G_1;

r is an element of the cyclic group Z/qZ; and

g is an element of the second cyclic group G_2.

57. (Original) The method of claim 52, wherein encoding the message M further 
includes: 

selecting a random parameter r; and

encoding the message M to generate a ciphertext C = [U_0, U M , . . • , ^ V],
PW r/-rP for 2 </<n+l, wherein V = M ⊕ H_2(g^r), wherein
wherein U_0 = r s_B P and Ui - rf v ior l _
g = e(Go, P*\ wherein s_B P is the recipient public key, and wherein

8yl

; and

decoding the ciphertext C further includes:

recovering the message M using M -VQHA^^^yj

58. (Original) A method of claim 57, wherein both the first cyclic group G_1 and the
second cyclic group G_2 are of the same prime order q.

59. (Original) A method of claim 57, wherein the first cyclic group G_1 is an additive
group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group
G_2 is a multiplicative subgroup of a finite field.

60. (Original) A method of claim 57, wherein the function e is a bilinear, non-degenerate,
and efficiently computable pairing.

61. (Original) A method of claim 57, wherein:
s_0 is an element of the cyclic group Z/qZ;

Q_0 is an element of the first cyclic group G_1;

each of the elements P_zi is an element of the first cyclic group G_1;

each of the elements P_yi is an element of the first cyclic group G;

each of the lower-level key generation secrets s_zi is an element of the cyclic group
Z/qZ;

each of the lower-level key generation secrets s_yi is an element of the cyclic group
Z/qZ;

each secret element S_zi is an element of the first cyclic group G_1;
each secret element S_yi is an element of the first cyclic group G_1;
each of the lower-level key generation parameters Q_zi is an element of the first cyclic
group G_1;

each of the lower-level key generation parameters Q_yi is an element of the first cyclic
group G_1;

the recipient element P_z(n+1) is an element of the first cyclic group G_1;
the sender element P_y(m+1) is an element of the first cyclic group G_1;
the recipient secret element S_z(n+1) is an element of the first cyclic group G_1;
the sender secret element S_y(m+1) is an element of the first cyclic group G_1;
r is an element of the cyclic group Z/qZ; and

g is an element of the second cyclic group G_2.



62. (Original) A method of claim 52, further comprising:

selecting a third function H_3 capable of generating an integer of the cyclic group Z/qZ
from two strings of binary digits; and

selecting a fourth function H_4 capable of generating one binary string from another binary
string;

wherein encoding the message M further comprises:
selecting a random binary string σ ∈ {0,1}^n;
computing a random integer r = H_3(σ, M); and

generating the ciphertext C = [U 0 , U M , • • • . ^ ^ ^ wherein = ^ ^
= ,P, for 2 < i < n + l, wherein V = M 0 W), wherein g = *flo. P<0, wherein s_B P is the
recipient public key and wherein W = E_{H_4(σ)}(M), E is a secure symmetric
encryption scheme, and H_4(σ) is the key used with E, wherein g yl I g(g y(W) , P yi ) ^ '

wherein decoding the ciphertext C further comprises:
recovering the random binary string σ using

σ = V ⊕ H

and

recovering the message M using M = E^-1_{H_4(σ)}(W).

63. (Onginal) A method of claim 62, wherein both the first cyclic group G, and the 
second cyclic group G 2 are of the same prime order q. 

64. (Original) A method of elate, 62, wherein the firs, cyclic group O, is an additive 
^„„p of points on a superstngular elliptic curve or abeltan variety, and the second cyclic group 
G 2 is a multiplicative subgroup of a finite field. 

65. (Original) A method of claim 62, wherein the function i is a bilinear, non- 
degenerate, and efficiently computable pairing. 

66. (Original) A method of claim 62, wherein:
s_0 is an element of the cyclic group Z/qZ;
Q_0 is an element of the first cyclic group G_1;
each of the elements P_zi is an element of the first cyclic group G_1;
each of the elements P_yi is an element of the first cyclic group G_1;
each of the lower-level key generation secrets s_zi is an element of the cyclic group Z/qZ;
each of the lower-level key generation secrets s_yi is an element of the cyclic group Z/qZ;
each secret element S_zi is an element of the first cyclic group G_1;
each secret element S_yi is an element of the first cyclic group G_1;
each of the lower-level key generation parameters Q_zi is an element of the first cyclic group G_1;
each of the lower-level key generation parameters Q_yi is an element of the first cyclic group G_1;
the recipient element P_z(n+1) is an element of the first cyclic group G_1;
the sender element P_y(m+1) is an element of the first cyclic group G_1;
the recipient secret element S_z(n+1) is an element of the first cyclic group G_1;
the sender secret element S_y(m+1) is an element of the first cyclic group G_1;
r is an element of the cyclic group Z/qZ; and
g,, is an element of the second cyclic group G_2.

67. (Original) A method of claim 62, further comprising:
authenticating the ciphertext C by:
computing an experimental random integer r' = H_3(σ, M); and
confirming that U_0 = r'P_0 and U_i = r'P_zi for 2 ≤ i ≤ n + 1.

68. (Original) A method of sending a digital message between a sender and a

the recipient possesses authorization from the authorizers, the method comprising:

private key is a secret of the recipient;

generating a secret key s_i (1 ≤ i ≤ n) for each of the authorizers, wherein each secret key is known to its associated authorizer;

generating a public key for each of the authorizers, wherein each public key is generated using at least the secret key for its associated authorizer;

generating a signature for each of the authorizers by signing a string of binary digits M_i with the secret key of that authorizer;

encrypting the digital message to form a ciphertext using at least the recipient's public key, the strings of binary digits M_i signed by the authorizers, and the public keys of the authorizers; and

decrypting the ciphertext using at least the recipient's private key and the signatures generated by the authorizers.

69. (Original) The method of claim 68, wherein at least one of the strings of binary

authorizers.

70. (Original) The method of claim 69, wherein at least one of the strings of binary digits is generated from information comprising the identity of the recipient.

71. (Original) The method of claim 69, wherein at least one of the strings of binary digits is generated from information comprising the recipient public key.

72. (Original) The method of claim 67, further comprising:
generating a first cyclic group G_1 of elements and a second cyclic group G_2 of elements;
selecting a function ê capable of generating an element of the second cyclic group G_2 from two elements of the first cyclic group G_1;

selecting a generator P of the first cyclic group G_1;

selecting a key generation secret of an authorizer as s_i;

assigning the public key of an authorizer as s_iP;

from the string of binary digits M_i;

generating an element P_Mi for each of the authorizers, wherein P_Mi = H_1(s_iP, M_i) for 1 ≤ i ≤ n; and

73. (Original) The method of claim 72, wherein both the first group G_1 and the second group G_2 are of the same prime order q.

74. (Original) The method of claim 72, wherein the first cyclic group G_1 is an

group G_2 is a multiplicative subgroup of a finite field.

75. (Original) The method of claim 72, wherein the function ê is a bilinear, non-degenerate, and efficiently computable pairing.

76. (Original) The method of claim 72, wherein each of the key generation secrets s_i is an element of the cyclic group Z/qZ;
each of the public keys s_iP is an element of the first cyclic group G_1;
each of the elements P_Mi is an element of the first cyclic group G_1; and
the recipient private key s is an element of Z/qZ.

77. (Currently amended) A method of sending a digital message between
a recipient in a public key encryption scheme comprising the sender, the recipient and a
hierarchy of authorizers including at least a root authorizer and n lower-level authorizers in the
can decrypt the digital message only if the recipient possesses authorization from the authorizers, the method comprising:

private key is a secret of the recipient;

generating a secret key s_i for the root authorizer and each of the lower level authorizers, wherein each secret key is known to its associated authorizer;

generating a public key for the root authorizer and each of the authorizers, wherein each public key is generated using at least the secret key for its associated authorizer;

certifying documents each comprising the public key of each of the lower level authorizers to generate a signature, wherein the document comprising the public key of each lower level authorizer is certified by the authorizer above it in the hierarchy;

certifying a document comprising the recipient public key, wherein the document is certified by the authorizer immediately above the recipient in the hierarchy;

encrypting the digital message to form a ciphertext using at least the recipient's public key and the public keys of the authorizers and the document; and

decrypting the ciphertext using at least the recipient's private key and the signatures generated by the authorizers.

78. (Currently amended) The method of claim 77, wherein at least one of the puMe ii ^ Me ^ .sM— is related to a parameter determining a validity period of the signatures generated by the authorizers.

79. (Original) The method of claim 77, wherein at least one of the strings of binary digits is generated from information comprising the identity of the recipient.

80. (Original) The method of claim 77, wherein at least one of the strings of binary digits is generated from information comprising the recipient public key.

81. (Original) The method of claim 77, further comprising:

selecting a function ê capable of generating an element of the second cyclic group G_2 from two elements of the first cyclic group G_1;

selecting a generator P of the first cyclic group G_1;
assigning the secret key of an authorizer as s_i;
assigning the public key of an authorizer as s_iP;

selecting a first function H_1 capable of generating an element of the first cyclic group G_1 from the string of binary digits;

generating an element P_Mi for each of the lower level authorizers, wherein

authorizer immediately below that authorizer in the hierarchy; and
signing the elements P_Mi to generate the signatures S_i = s_iP_Mi.

82. (Original) The method of claim 81, wherein both the first group G_1 and the second group G_2 are of the same prime order q.

83. (Original) The method of claim 81, wherein the first cyclic group G_1 is an additive group of points on a supersingular elliptic curve
group G_2 is a multiplicative subgroup of a finite field.

84. (Original) The method of claim 81, wherein the function ê is a bilinear, non-degenerate, and efficiently computable pairing.

85. (Original) The method of claim 81, wherein each of the key generation secrets s_i is an element of the cyclic group Z/qZ;
each of the public keys s_iP is an element of the first cyclic group G_1;
each of the elements P_Mi is an element of the first cyclic group G_1; and
the recipient private key s is an element of the cyclic group Z/qZ.

86. (Original) A method of encrypting and decrypting a digital message between a sender and a recipient in a public-key encryption scheme comprising the sender, the recipient

recipient, the method comprising:

(a) generating a recipient public key/ recipient private key pair; wherein the recipient private key is a secret of the recipient;

(b) selecting a key generation secret known to the authorizer;

(c) generating a recipient decryption key associated with time period i, wherein the
wherein recipient decryption keys associated with time periods earlier than i, but not the recipient decryption keys associated with time periods later than i, can be generated from the recipient decryption key associated with time period i;

(d) encrypting the digital message to form a ciphertext using at least the recipient public key, the time period parameter associated with time period i or a time period parameter associated with an earlier time period, and a recipient encryption key to create an encrypted digital message; and

(e) decrypting the ciphertext using at least the recipient private key and the recipient decryption key associated with time period i.

87. (Original) The method of claim 86 wherein the recipient decryption key associated with time period i is related to information identifying the recipient.

88. (Original) A method of sending a digital message between a sender and a recipient in a public-key encryption scheme comprising the sender, a plurality of clients including the recipient, and an authorizer, wherein the digital message is encrypted by the sender and decrypted by the recipient, the method comprising:

(a) generating a recipient public key/ recipient private key pair for the recipient; wherein the recipient private key is a secret of the recipient;

(b) generating a unique binary string associating the recipient with a leaf node in a B-tree;

(c) generating a unique binary string associated with each ancestor node of the recipient leaf node;

(d) generating an encryption key for the recipient leaf node and for each of the

with at least the binary string associated with that node;

(e) generating a master secret known to the authorizer;

(f) generating a recipient decryption key associated with an ancestor node of the recipient leaf node, wherein the ancestor node is not an ancestor of a leaf node associated with a client not authorized by the authorizer, wherein the recipient decryption key is associated with at

decryption key associated with an ancestor node of the recipient leaf node forms a private key/ public key pair with the encryption key associated with the ancestor node of the recipient leaf node;

(g) encrypting the digital message to create an encrypted digital message using at least the recipient public key, and the encryption keys associated with the recipient leaf node and ancestor nodes of the recipient leaf node; and

(h) decrypting the encrypted digital message using at least the recipient private key and the recipient decryption key associated with an ancestor node of the recipient leaf node.
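
An added illustration, not part of the application, of the node selection in step (f) of claim 88: which nodes can receive a decryption key without any unauthorized client's leaf lying beneath them. It assumes the B-tree is a complete binary tree whose nodes are labelled by bit-string prefixes (root is the empty string); the function names and the sample set of unauthorized clients are constructed for this example.

```python
from itertools import product


def ancestors(leaf):
    """Node labels on the path to a leaf: root '' first, the leaf itself last."""
    return [leaf[:i] for i in range(len(leaf) + 1)]


def cover_nodes(depth, unauthorized):
    """Maximal nodes that have no unauthorized client's leaf beneath them.

    These are the nodes for which an authorizer would issue decryption keys.
    """
    for leaf in unauthorized:
        if len(leaf) != depth or set(leaf) - {"0", "1"}:
            raise ValueError(f"bad leaf label: {leaf!r}")
    if not unauthorized:
        return [""]  # nobody is excluded, so the root covers every leaf
    # Every node on a path to an unauthorized leaf must never receive a key.
    tainted = {node for leaf in unauthorized for node in ancestors(leaf)}
    # A clean child of a tainted node is a cover node: its parent is tainted,
    # so no larger clean subtree contains it.
    cover = [node + bit
             for node in tainted if len(node) < depth
             for bit in "01" if node + bit not in tainted]
    return sorted(cover, key=lambda n: (len(n), n))


def covering_node(leaf, cover):
    """The published node on this leaf's path, or None if the client is excluded."""
    published = set(cover)
    for node in ancestors(leaf):
        if node in published:
            return node
    return None


def audit(depth, unauthorized, cover):
    """True when each authorized leaf has exactly one cover node on its path
    and each unauthorized leaf has none."""
    published = set(cover)
    for bits in product("01", repeat=depth):
        leaf = "".join(bits)
        hits = sum(node in published for node in ancestors(leaf))
        if hits != (0 if leaf in unauthorized else 1):
            return False
    return True


if __name__ == "__main__":
    DEPTH = 3                          # 8 clients, leaves '000' .. '111'
    REVOKED = {"010", "011", "110"}    # constructed sample of unauthorized clients
    cover = cover_nodes(DEPTH, REVOKED)
    print("decryption keys issued for nodes:", cover)
    for leaf in ("001", "111", "010"):
        # The sender encrypts to every node in ancestors(leaf); the recipient
        # can use only the one node that also appears in the cover.
        print(leaf, "->", covering_node(leaf, cover))
    print("cover is sound:", audit(DEPTH, REVOKED, cover))
```

With three of eight clients unauthorized, three node keys serve the five authorized clients, and an excluded client finds no usable key on its path.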

89. (Original) The method of claim 88, wherein the encryption key for the recipient

period parameter defining a validity period for the decryption key associated with that node.

90. (Original) The method of claim 89, further comprising generating a long-lived certificate for the recipient, wherein the certificate comprises the recipient public key, the

associating the recipient with the leaf node in a B-tree, and the validity period parameter.

91. (Original) The method of claim 88, wherein the nodes in the B-tree are associated with points on an elliptic curve or abelian variety.

92. (Original) The method of claim 88, wherein the binary string associating the recipient with a leaf node in a B-tree is generated by a method comprising:

choosing a binary string associated with the root node of the B-tree;

generating a binary string associated with each ancestor node of the recipient leaf node except for the root node, wherein the binary string associated with each ancestor node of the recipient leaf node except for the root node is generated using at least the binary string associated with the parent of that node; and

generating a binary string associated with recipient leaf node, wherein the binary string

of that node.

93. (Original) The method of claim 88, wherein the binary string associating the recipient with a leaf node in a B-tree is generated by a method comprising:
choosing the binary string associated with each recipient leaf node;



Atty. Docket No. CA1261 

generating the binary string for the ancestor nodes of the recipient leaf node, wherein the binary string for each ancestor node of the recipient leaf node is generated using at least the binary strings associated with the child nodes of that node.

94. (Original) The method of claim 93, wherein the B-tree is a Merkle tree.

95. (Original) The method of claim 88, wherein the decryption key for the node providing cover for the recipient leaf node is generated by the method comprising:

(a) generating a first cyclic group G_1 of elements and a second cyclic group G_2 of elements;

(b) selecting a first function H_1 capable of generating an element of the first cyclic group G_1 from a first string of binary digits;

(c) generating an identifying string for the node providing cover for the recipient leaf node P_node = H_1(Inf_B), wherein Inf_B is related to the binary string associated with that node; and

(d) generating a secret element S = s_cP_node for each node; wherein the secret element S is the decryption key for the node providing cover for the recipient leaf node.

96. (Original) The method of claim 95, wherein the identifying string for the decryption key for the node providing cover for the recipient leaf node is also associated with the validity period parameter.

97. (Original) The method of claim 88, wherein the digital message is encrypted by a method comprising:

(a) generating a first cyclic group G_1 of elements and a second cyclic group G_2 of elements;

(b) selecting a function e capable of generating an element of the second cyclic group G_2 from two elements of the first cyclic group G_1;

(c) selecting a generator P of the first cyclic group G_1;

(d) generating a key generation parameter Q = s_cP;

(e) selecting a first function H_1 capable of generating an element of the first cyclic group G_1 from a first string of binary digits;

(f) selecting a second function H_2 capable of generating a second string of binary digits from an element of the second cyclic group G_2;

(g) generating an identifying string P_node = H_1(Inf_B) for each of m nodes defining the

binary string associated with that node;

selecting a random key generation secret r;

encrypting the digital message to form a ciphertext C; wherein C is set to be:
C = [rP, V_1, ..., V_m], where V_i = M ⊕ H_2(e(P, P^OTJ), e(P, P_nodei) ∈ G_2 and P_nodei is the identifying string associated with node i, i = 1, ..., m; and

encrypting a part of the ciphertext with the recipient public key PK_B.

98. (Original) The method of claim 97, wherein Inf_B is also associated with the validity period parameter.

99. (Original) The method of claim 97, wherein both the first group G_1 and the second group G_2 are of the same prime order q.

100. (Original) The method of claim 97, wherein the first cyclic group G_1 is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group G_2 is a multiplicative subgroup of a finite field.

101. (Original) The method of claim 97, wherein the function e is a bilinear, non-degenerate, and efficiently computable pairing.

102. (Original) The method of claim 98, wherein
s_c is an element of the cyclic group Z/qZ;
Q is an element of the first cyclic group G_1;
Identifying string P_node is an element of the first cyclic group G_1; and
the secret element S is an element of the first cyclic group G_1.

103. (Currently Amended) A method of sending a digital message between a sender and a recipient

including the recipient, and an authorizer, wherein the
and decrypted by the recipient, the method comprising:

(a) generating a recipient public key/ recipient private key pair for the recipient; wherein the recipient private key is a secret of the recipient;

(b) generating a binary string associated with the root node of the B-tree, wherein this binary string is related to a validity period parameter defining a validity period for a decryption key for a node providing cover for the recipient leaf node;

(c) generating a unique binary string associating the recipient with a leaf node in a B-tree;

(d) generating a unique binary string associated with each ancestor node of the recipient leaf node with the exception of the root node, wherein this binary string is associated with the position of its associated node in the B-tree;

(e) generating an encryption key for the recipient leaf node and for each of the

with at least the binary string associated with that node;

(f) generating a first master secret and a second master secret known to the authorizer;

(g) generating a decryption key for the node providing cover for the recipient leaf node, wherein the node providing cover for the recipient leaf node is not an ancestor node of a leaf node of a recipient not authorized to decrypt a message, wherein this decryption key is

with the node providing cover for the recipient leaf node and ancestor nodes of the node providing cover for the recipient leaf node and wherein the decryption key forms a private key/ public key pair with the encryption key associated with the node providing cover for the recipient leaf node;

(h) encrypting the digital message to create an encrypted digital message using at

ancestor nodes of the recipient leaf node; and

(i) decrypting the encrypted digital message using at least the recipient private key

node.

104. (Original) The method of claim 103, further comprising generating a long-lived

serial number, wherein the recipient serial number is related to the binary string associating the recipient with the leaf node in a B-tree, and the validity period parameter.

105. (Original) The method of claim 103, wherein the B-tree is a Merkle tree.

106. (Original) The method of claim 103, wherein the binary string associating the recipient with a leaf node in a B-tree is generated by a method comprising:

choosing a binary string associated with a child of the root node of the B-tree;
generating a binary string associated with each ancestor node of the recipient leaf node except for the root node and the child of the root node, wherein the binary string associated with each ancestor node of the recipient leaf node except for the root node and the child of the root node is generated using at least the binary string associated with the parent of that node; and

associated with the recipient leaf node is generated using at least the binary string of the parent of that node.

107. (Original) The method of claim 103, wherein the binary string associating the recipient with a leaf node in a B-tree is generated by a method comprising:
choosing the binary string associated with each recipient leaf node;

exception of the root node, wherein the binary string for each ancestor node of the recipient leaf

with the child nodes of that node.

108. The method of claim
with points on an elliptic curve or abelian variety.

109. (Original) The method of claim 108, wherein the decryption key for the node providing cover for the recipient leaf node is generated by the method comprising:

(a) generating a first cyclic group G_1 of elements and a second cyclic group G_2 of elements;

(b) selecting a first function H_1 capable of generating an element of the first cyclic group G_1 from a first string of binary digits;

(c) generating the identifying string for the root node in the B-tree P_Rnode = H_1(Inf_R) and wherein Inf_R is related to the validity period parameter;

(d) generating a secret element S_R = s_cP_Rnode for the root node; wherein the secret element S is the identity-based secret-key for the root node.

(e) generating the binary string associated with the node providing cover for the

node, with the exception of the root node, P_b1 ... P_(b1...bm), wherein the binary string associated

providing cover for the recipient leaf node is of the form P^ = H_1(W
to the position of that node in the B-tree;

(f) generating a secret element:

S = S, * x (ft, + ...+ ft. *) • *P for the node providing cover for the recipient leaf,
wherein the secret element S is the decryption key for the node providing cover for the recipient leaf node.

110. (Original) The method of claim 103, wherein the digital message is encoded to create the encoded digital message by a method comprising:

(a) generating a first cyclic group G_1 of elements and a second cyclic group G_2 of elements;

(b) selecting a function e capable of generating an element of the second cyclic group G_2 from two elements of the first cyclic group G_1;

(c) selecting a generator P of the first cyclic group G_1;

(d) generating a key generation parameter Q = s_cP;

(e) selecting a first function H_1 capable of generating an element of the first cyclic group G_1 from a first string of binary digits;

(f) selecting a second function H_2 capable of generating a second string of binary digits from an element of the second cyclic group G_2;

(g) generating the identifying string for the root node in the B-tree H_1(Inf_R), wherein Inf_R is related to the validity period parameter;

(h) generating the binary string associated with the recipient leaf node and for each ancestor node of the recipient leaf node, with the exception of the root node, P_b1 ... P_(b1...bm), wherein the binary string for the recipient leaf node and for each ancestor node of the recipient leaf node is of the form P_(b1...bi) = H_1(Inf_B), wherein Inf_B is related to the position of that node in the B-tree;

(i) selecting a random key generation secret r;

(j) encrypting the digital message to form a ciphertext C; wherein C is set to be:

C = [rP, rP_b1, ..., r(P_b1 + ... + P_(b1...bm)), V], where V = M ⊕ H_2(e(P,^f)),

e(P, P_Rnode) ∈ G_2; and

(k) encrypting a part of the ciphertext with the recipient public key PK_B.

111. (Original) The method of claim 110, wherein both the first group G_1 and the second group G_2 are of the same prime order q.

112. (Original) The method of claim 110, wherein the first cyclic group G_1 is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group G_2 is a multiplicative subgroup of a finite field.

113. (Original) The method of claim 110 wherein the function e is a bilinear, non-degenerate, and efficiently computable pairing.

114. (Original) The method of claim 110 wherein
s_c and x are elements of the cyclic group Z/qZ;
Q is an element of the first cyclic group G_1;
Identifying strings P_node and P_Rnode are elements of the first cyclic group G_1; and
the secret element S is an element of the first cyclic group G_1.



115. (Original) The method of claim 109, wherein the decryption key for the node providing cover for the recipient leaf node is updated to generate an updated decryption key, the method comprising:

(a) choosing a validity period for the updated decryption key;

(b) choosing a new value for the second master secret x; and

(c) generating the updated decryption key, wherein the updated decryption key is associated with an ancestor node of the recipient leaf node, wherein the ancestor node is not an ancestor of a leaf node associated with a client not authorized by the authorizer during the validity period for the updated decryption key,
wherein the updated decryption key is related to the first master secret s_c, the second master secret x, the new value for the second master secret x, and the binary strings associated with the ancestor node of the recipient leaf node and ancestor nodes of the ancestor node of the recipient leaf node and wherein the decryption key forms a private key/ public key pair with the encryption key associated with the ancestor node of the recipient leaf node.

116. (Original) The method of claim 115, wherein the updated decryption key is of the form:

s_c(P_T1 + P_T2) + x_1P_b1 + ... + x_mP_(b1...bm), wherein

s_c is the first master secret;

P_T1 is the binary string associated with root node during the validity period of the decryption key;

P_T2 is a binary string associated with root node during the validity period of the updated decryption key;

x_1 ... x_m are associated with the second master secret and the new value for the second master secret; and

P_b1, ..., P_(b1...bm) are the binary strings associated with node providing cover for the recipient leaf node during the validity period for the updated decryption key and the ancestor nodes of this node except for the root node.